GoDaddy Revokes Nearly 9,000 SSL Certificates

GoDaddy informed customers this week that it has revoked nearly 9,000 SSL certificates after discovering a software bug that made its domain validation process unreliable.

According to the company, the bug was introduced on July 29, 2016, as part of a routine code change meant to improve the certificate issuance process. GoDaddy learned about the problem from Microsoft on January 6 and revoked the affected certificates on January 10. Replacement certificates are being reissued to affected customers.

When it validates a domain name for an SSL certificate, GoDaddy gives the customer a random code and asks them to place it at a specific URL on their website. GoDaddy's systems then fetch that URL, and the validation is considered complete when the response contains the code.

As a result of the bug introduced in July, a domain could pass validation even though the customer had never placed the code on the site: on web servers configured to echo the requested URL in their error pages, a 404 response was enough, because the requested URL itself contained the code.

“Prior to the bug, the library used to query the website and check for the code was configured to return a failure if the HTTP status code was not 200 (success). A configuration change to the library caused it to return results even when the HTTP status code was not 200,” explained Wayne Thayer, VP and General Manager of Security Products at GoDaddy. “Since many web servers are configured to include the URL of the request in the body of a 404 (not found) response, and the URL also contained the random code, any web server configured this way caused domain control verification to complete successfully.”
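To make the failure mode concrete, here is an added example (not GoDaddy's code) of an HTTP domain-control check written two ways and run over constructed raw HTTP responses, so it needs no network. The permissive version ignores the status code and accepts any body containing the token, which is the behaviour the quote describes; the strict version requires a 200 status and a body that is exactly the token. The validation path layout, the token value and the server error pages are all assumptions made for the example. The strict check also goes one step beyond the article: a status-only fix would still be fooled by a "soft 404" page that returns 200 while echoing the URL, and exact matching closes that too.

```python
"""
Added example: two versions of an HTTP domain-control check, run over
constructed raw HTTP responses (no network).  Not GoDaddy's code.
"""
from typing import Tuple

TOKEN = "8f3a0c2e7b1d4e6f9a5c"          # stands in for the CA's random code (constructed)
# Assumed layout: the token appears in the URL the CA fetches, as in the article.
VALIDATION_PATH = f"/.well-known/pki-validation/{TOKEN}.txt"


def parse_http_response(raw: bytes) -> Tuple[int, str]:
    """Split a raw HTTP/1.x response into (status code, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("iso-8859-1")
    # Status line has the form: HTTP/1.1 <code> <reason>
    status = int(status_line.split(" ", 2)[1])
    return status, body.decode("utf-8", errors="replace")


def validate_permissive(raw: bytes, token: str) -> bool:
    """The failure mode described in the article: the status code is
    ignored and a substring match anywhere in the body passes.  A 404
    page that echoes the requested URL (which contains the token) is
    therefore accepted as proof of control."""
    _status, body = parse_http_response(raw)
    return token in body


def validate_strict(raw: bytes, token: str) -> bool:
    """Hardened check: require HTTP 200 *and* a body that is exactly the
    token (surrounding whitespace allowed).  Exact matching also rejects
    'soft 404' pages that return 200 but merely echo the URL."""
    status, body = parse_http_response(raw)
    if status != 200:
        return False
    return body.strip() == token


# Constructed responses.  The 404 body mimics a server that echoes the
# requested URL in its error page, which is what defeated the real check.
RESP_404_ECHO = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<h1>Not Found</h1>\n<p>The requested URL "
    + VALIDATION_PATH.encode() + b" was not found on this server.</p>\n"
)
RESP_200_TOKEN = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n\r\n"
    + TOKEN.encode() + b"\n"
)
RESP_200_SOFT404 = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<h1>Page not found</h1>\n<p>No page at "
    + VALIDATION_PATH.encode() + b"</p>\n"
)


def demo():
    """Return {case name: (permissive result, strict result)} for each response."""
    cases = {
        "404 echoing URL": RESP_404_ECHO,
        "200 with token body": RESP_200_TOKEN,
        "200 soft-404 echoing URL": RESP_200_SOFT404,
    }
    return {name: (validate_permissive(r, TOKEN), validate_strict(r, TOKEN))
            for name, r in cases.items()}


if __name__ == "__main__":
    for name, (loose, strict) in demo().items():
        print(f"{name:26s} permissive={loose!s:5s} strict={strict}")
```

Only the genuine 200 response whose body is the bare token passes the strict check; both echo cases pass the permissive one, which is exactly the gap a challenger relying on a non-200 page could have walked through.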

GoDaddy has identified 8,951 certificates issued without proper domain validation, which represents roughly 2 percent of the total number of certificates issued between July 29, 2016, and January 10, 2017. The web-hosting giant said the incident has affected approximately 6,100 customers.

Impacted customers have been offered a replacement certificate at no cost; GoDaddy has already submitted the request on their behalf in their SSL Panel. Affected websites will continue to work and connections to them will still be encrypted, but browsers that check revocation status (via OCSP or CRLs) may display warnings until the new certificate is installed.

GoDaddy said it was not aware of any cases where this bug had been exploited to procure a certificate for an unauthorized domain. Both Google and Mozilla have been notified about the incident.

“Unfortunately, this is not an isolated incident for the CA industry: Recently, an error by GlobalSign locked out traffic to their customers’ websites for days and Symantec was discovered to be issuing unauthorized certificates,” said Kevin Bocek, VP of Security Strategy and Threat Intelligence at Venafi.

“This is clearly a wake-up call for businesses. Trust in digital certificates enables the global economy and impacts every Internet user, business, and government, but businesses rely on manual methods to manage them. To protect your business you must know the location of every certificate in use and be able to replace any of them instantly,” Bocek added.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.